This environment may only be started from the Cloud Sandbox
To Orchestration and Beyond
Your CTO was impressed with your ability to show that AKS can easily support your application using a test deployment. However, you agreed that this deployment would not pass muster with your internal security team or meet audit requirements. Going forward, you’ll need to configure a cluster that will ultimately become part of Humongous Insurance’s existing cloud infrastructure.
Challenge
Your team’s goal in this challenge is to create and configure a Kubernetes cluster on Azure with the appropriate security measures in place. Your company deals with sensitive information, so it is imperative that you address security when configuring your cluster. You need to enable cluster authentication managed through your company’s Azure Active Directory (AAD) tenant and implement Role-Based Access Control (RBAC), protect your resources by using a dedicated Virtual Network (VNet) and protect the most critical part of your Kubernetes cluster, the Kubernetes API Server.
Keep in mind these are just the first steps of securing your cluster. You will be asked to further improve your security in later challenges.
As you configure your cluster, your CTO would like you to consider Availability, Network Requirements, and Access.
Availability
- Users of TripInsights expect their data to be accurate and up-to-date at all times. It’s important to consider the availability of the application to inform your decision on the number of nodes in your cluster.
Network Requirements
- Due to the size of Humongous Insurance, many of the private IP address spaces are being used. You were lucky enough to get your networking team to give you an IP range for running applications within Azure. There is an existing VNet in your subscription that represents the IP range that has been allocated for your team (both for your cluster and other resources).
- Pods on your cluster should be able to directly communicate with other resources on the VNET via private IP addresses.
Protecting Resources with a VNet
As with many other Azure services, you can protect your Kubernetes nodes by placing them into a VNet. The use of a VNet prevents unauthorized external connections, and can increase the security of corresponding managed services.
Access
- Access to the Kubernetes API server should be limited to those who need it, and the level of access should depend on the intended use.
- You may have noticed the other users in your Active Directory tenant. While you are part of the Admin team and should have permissions to access any resource in the cluster, there are two other users from the Web and API teams in your AAD tenant:
- web-dev user (View access for API resources, Edit access for Web resources).
- api-dev user (View access to Web resources, Edit access to API resources)
Tip: Segmenting cluster resources with namespaces will help manage access. Think through how namespaces might change existing configuration details such as service name resolution.
Use of RBAC (Role-Based Access Control)
RBAC is used to assign Roles (a group of permissions to resources) to Users (any entity that accesses a resource interactively) or Service accounts (any entity that accesses a resource non-interactively and independent of a User).
Using these constructs allows you to separate permissions between different users and engage in the Principle of Least Privilege. This principle suggests that any User or Service account should be assigned Role(s) with the minimum privilege necessary to access the resources that they require to complete their operational role against the cluster and for each application.
Note: When working with AKS, it’s important to be aware of both Azure RBAC and Kubernetes RBAC.
Success Criteria
- Your team successfully created an RBAC enabled AKS cluster within the address space allocated to you by the network team
- Your team successfully redeployed the TripInsights application, now segmented into
apiandwebnamespaces, into the cluster - Your team must demonstrate connectivity to and from your cluster by being able to reach the
internal-vm(already deployed) - Your team must demonstrate that you are prompted on cluster access to authenticate with AAD
- Different members of your team must be able to connect to your cluster using the api-dev and web-dev AAD users and demonstrate appropriate access levels
References
Networking for AKS
Access and Identity for AKS
- Access and identity options
- AKS-managed Azure Active Directory integration
- Control Kubeconfig Access
- Use Azure AD and Kubernetes RBAC for clusters
Availability
Kubernetes
OpenHack
Hello and welcome to OpenHack, a challenge oriented hack event from Microsoft. You will be presented with a series of challenges, each one more difficult than the one before.
You should already be assigned to and seated with a team, with whom you will attempt to solve as many challenges as you can within today’s hack time.
You have been assigned a coach who will be your first point of contact, and is here to support you and answer questions during the hack. They will not, however, solve the challenges for you.
You may notice a resource group called teamResources in your Azure subscription. This resource group contains any pre-provisioned resources referenced in the challenges.
The Premise
You work for Humongous Insurance. One of their products provides customers the opportunity to qualify for lower car insurance rates. Customers can do this by opting in to use Humongous Insurance’s TripInsights app, which collects data about their driving habits. Your team has been assigned to modernize the application and move it to the cloud.
The TripInsights application, once a monolith, has been refactored into a number of microservices:
- Trip Viewer WebApp (
.NET Core): Your customers use this web application to review their driving scores and trips. The trips are being simulated against the APIs within the OpenHack environment. - Trip API (
Go): The mobile application sends the vehicle’s on-board diagnostics (OBD) trip data to this API to be stored. - Points of Interest API (
.NET Core): This API is used to collect the points of the trip when a hard stop or hard acceleration was detected. - User Profile API (
NodeJS): This API is used by the application to read the user’s profile information. - User API (
Java): This API is used by the application to create and modify the users.
The source code of all the microservices is available here.
The Challenges
Each challenge will lead you through a stage of the technical investigation as briefly laid out by your fictional CTO. These investigations become more technically challenging as you progress.
We do not provide guides or instructions to solve the challenges, just a few hints and documentation references that you may find useful. There are multiple ways to solve each challenge, and very likely some we haven’t thought of. We’re interested in seeing your own unique solutions to each problem, and you should absolutely work with your coaches and the OpenHack Team to validate your solution as correct.
One final tip: Read everything very carefully
The OpenHack team have worked hard to ensure each problem is solvable. All the details you should need are within the challenge briefs, which are very carefully written and worded to give you clues toward the solution. Reading them fully is the best way to figure out a solution, as small points can be easily missed. Your coaches will help to fill gaps in your understanding, provided you ask them the right questions.